Carelessness invites the HIPAA police

In March, the federal government announced the start of audits to ensure compliance with privacy and security provisions under the Health Insurance Portability and Accountability Act (HIPAA).

If you are a healthcare provider, far from the elaborate schemes of hackers, your greatest threat is more likely to be in carelessness or neglect in your midst. In recent years, the top two issues in the most serious HIPAA investigations related to:

1. Impermissible uses and disclosures of patient information

2. Inadequate safeguards

Often, violations go down to basic lapses in judgment, such as leaving computers containing patient information in unlocked rooms. Here are a few examples, illustrating the type of routine behaviors that lead to investigations:

• In one case involving the Indiana-based Parkview Health System, a physician complained that as she was transitioning to retirement, Parkview employees left 71 cardboard boxes of patient health records unattended in her driveway in a high-traffic area. Parkview settled the case for $800,000.

• In another case, Lahey Hospital and Medical Center, affiliated with Tufts Medical School, settled potential violations for $850,000 after a laptop was stolen from an unlocked treatment room. The feds reported evidence of widespread non-compliance with the HIPAA rules, including failure to conduct thorough risk assessments.

Aside from these more high profile cases, several lesser cases illustrate the everyday situations that spark investigations and lead to corrective action plans. Consider:

• A mental health center failed to provide a notice of privacy practices to a father or his minor daughter, who was a patient at the center.

• A private practice failed to provide a patient access to his medical records.

• After treating a patient injured in a sporting accident, a hospital released the patient’s skull x-ray and other detailed information to a local newspaper. The hospital argued it acted in the public interest, but the feds said the disclosures did not meet the appropriate standard.

• A staff member of a medical practice discussed HIV testing procedures with a patient in a waiting room, and by doing so, disclosed protected health information to others in the room. At this same practice, computer screens displaying patient information were easily visible to patients.

The lesson: Tend to the details, and create a culture that values the protection of patient privacy. It’s a mindset more than anything. The idea of patient information in open view on a computer screen, or on paper, should be as unthinkable as leaving the office doors wide open overnight.

After a recent workshop presentation, a woman asked me to explain the difference between security and privacy. In a medical practice, security relates to keeping patient records in locked rooms, for example, or contingency plans in the event of a natural disaster or power outage.

Security and privacy are inter-related, but privacy is more personal. In an environment where privacy is respected, no one would imagine chatting up HIV testing procedures in a waiting room where others could hear.

Of course, protect against hackers and other potential assaults from the outside. But look carefully around your workplace, and think hard about the real threats as a result of lax procedures. If someone walking by a work station can glimpse the protected health information of a patient, privacy has been violated. Worse yet, what’s to prevent that person from sharing this new found information on social media? Nothing. And if that happens, expect the HIPAA police.

Diane Evans is Publisher of MyHIPAAGuide.com.